Updated 29 May 2021
This week I talk about costs that are often overlooked when dealing with ransomware attacks.
I am signed up to many newsletters and Google alerts on cyber incidents, and I never cease to be amazed by the sheer number of organisations that have ransomware attacks. I did my PhD in Emergency Planning and Disaster Management at the University of Hertfordshire; therefore, it is the latest in a long line of universities that caught my eye. This week I wanted to share my thoughts and alert you to the hidden costs of ransomware attacks. Often the cost of the actual ransom pales into insignificance compared to the hidden costs of the attack.
The Cost of Ransom
The most obvious cost of a ransomware attack is the amount of ransom demand. When an organisation is attacked, you should remember that you are not dealing with amateurs. The people who conduct these attacks are professionals and often very good at what they do. Almost all ransomware attacks are specifically targeted, as criminals believe that they will make money out of the organisation. Ransom demands are calculated carefully, and what the attackers think you might pay or the absolute most you can afford is considered. I heard from one organisation that the ransom note demanded the exact amount of money they had in their current account at the time. Others who have been victims of a ransomware attack all state that the attackers make the demands very obvious. I have even heard of instances where they have rung up the organisation if they feel they are not being listened to.
Impact on Customers
One of the highest costs of an attack is the impact on the organisation’s customers, who are likely to lose trust in the company. Customers entrust you with all their data. If your organisation loses control of it, this could lead to customers leaving, and in turn, going to your competitors or contacting customer services asking for discounts either immediately or when their contracts are up for renewal. Suppose your website is down or a cyber-attack paralyses your organisation. In that case, you may not be able to provide goods and services to your customers, which can significantly impact your revenue and service delivery.
When customers purchase goods and services through your website, they could be greeted with a notification giving them details of the cyber-attack. Many people might decide not to buy goods from you as it looks as though your organisation is untrustworthy. Once you have lost customers or market share, you may have to offer discounts or run additional advertising campaigns to get back to where you were before the ransomware attack.
Be aware that the GDPR fines may be more considerable than the ransom demanded. An example of this is Marriott Hotel who were initially fined £100m for their data loss, and this was reduced to £18m on appeal. British Airways were fined £20m for failing to protect the personal and financial details of more than 400,000 customers, and their initial fine was £183m! Both these cases weren’t ransomware attacks but gives you an idea of the level of fines that the ICO is looking to impose on organisations who lose control of data in their possession.
When there are many members of the public who have been affected by the data breach, law firms can put together a class action that they would conduct on a no win, no fee basis. The class action, in turn, could lead to additional costs for the organisation or an increase to their insurance plan if they covered these claims.
Cost of Rebuilding Systems
After a ransomware attack, the cost of rebuilding systems can be expensive as it involves the complete rebuild of all their software and the purchase of new equipment. For example, the news reported that the cost of the SEPA cyber-attack is £800,000 to date. The government gave Redcar and Cleveland Council £3.68m to cover the cost of their cyber incident, although they claim it cost them around £10m. The Mayor of Hackney, Philip Glanville, stated that the cyber-attack on Hackney Council in October 2020 was likely to cost the borough around £10m, similar to the cost of Redcar’s attack. Norsk Hydro, a Norwegian aluminium and renewable energy company reported that their cyber incident cost them approximately $60m. The cost of the ransomware attack on HSE the Irish Heath Services in May 2021 is being reported as going to cost the Irish Government up to €100m.
Time Management and Effort
The final cost is hidden and often overlooked, but it can have a major impact on organisations, and it is the sheer time management and effort in responding to the incident. The response prevents them from using their energy and time in driving the organisation forward. The one to two-year response and dealing with the aftermath causes organisations to stagnate while their competitors move forward.
Short selling of your stock
According to SC magazine “the DarkSide ransomware group is openly coaxing stock traders to reach out and receive the inside scoop on the gang’s latest corporate victims, so they can short sell their stock before any data is leaked and the news goes public”. Ransomware gangs always are always looking for new and inventive ways to make money. If your stock is being shorted then this is just another additional cost of ransomware.
Many organisations, when faced with a ransomware demand, are aware of all these costs. In terms of cost-benefit, they can see it is a lot more beneficial to pay the ransom rather than have the pain and costs of recovering their systems and admit to all their stakeholders that they have lost control of their data. There are also many reasons not to pay a ransom, but I will leave this until another bulletin, so keep your eyes peeled!
For those looking to learn more about ransomware, there are lots of good resources on the FireEye site here.